Check if user can log time to project

Make sure the user is able to log time a project before creating a task. Even though we check in the front end is possible people who use scripts to log time to any project, so we need to check here as well.
Igalia · Jan 19, 2024 · 3dfd471 · 3dfd471
1 parent d651843
commit 3dfd471
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 3 deletions.
diff --git a/api/tests/utils/mock_data.py b/api/tests/utils/mock_data.py
@@ -1,6 +1,6 @@
 from models.area import Area
 from models.customer import Customer
-from models.project import Project, ProjectAllocation
+from models.project import Project, ProjectAllocation, ProjectAssignment
 from models.timelog import Task, TaskType, Template
 from models.user import User, UserGroup, UserRoles
 from models.sector import Sector
@@ -127,6 +127,15 @@
             }
         ],
     ),
+    (
+        ProjectAssignment,
+        [
+            {
+                "user": 2,
+                "project": 1,
+            }
+        ],
+    ),
     (
         TaskType,
         [

diff --git a/web/services/createTasksService.php b/web/services/createTasksService.php
@@ -29,6 +29,7 @@
     define('PHPREPORT_ROOT', __DIR__ . '/../../');
     include_once(PHPREPORT_ROOT . '/web/services/WebServicesFunctions.php');
     include_once(PHPREPORT_ROOT . '/model/facade/TasksFacade.php');
+    include_once(PHPREPORT_ROOT . '/model/facade/ProjectsFacade.php');
     include_once(PHPREPORT_ROOT . '/model/vo/TaskVO.php');
     include_once(PHPREPORT_ROOT . '/model/OperationResult.php');
 
@@ -207,9 +208,15 @@
 
                 $taskVO->setUserId($user->getId());
 
-                if (is_null($taskVO->getProjectId()))
+                // Get projects user is assigned to to make sure they can log time to them
+                $projects = ProjectsFacade::GetAllProjects($user->getLogin());
+                $projectIdList = [];
+                foreach ($projects as $project) {
+                    $projectIdList[] = $project->getId();
+                }
+                if (is_null($taskVO->getProjectId()) || !in_array($taskVO->getProjectId(), $projectIdList))
                 {
-                    $string = "<return service='createTasks'><success>false</success><error id='4'>projectId is not valid</error></return>";
+                    $string = "<return service='createTasks'><success>false</success><error id='4'>Project is not valid or you are not allowed to log time to this project</error></return>";
                     break;
                 }
                 //Support 0-hour tasks: reparse end time if initTime == 0 to the end so that order of parse doesn't cause error if end time added before init time by users